Surviving the Storm: Protecting Corporate IP In The Age Of Acquisitions

The recent storm of acquisitions among enterprise technology companies in just the past few weeks totals over $105 billion in value, and presents new challenges and demands for everyone from the CEO, legal department, to IT administrators.

An acquisition, by definition, is the transfer of value, much of which is intellectual property in the form of code, patents, customer and channel relationships, employee experience, insights and work. For the acquiring company, having knowledge of what intellectual property that you now own at any given time — as well as who has access to this data, where it is located on the network and making sure it stays there — is paramount to protecting the economic value of the transaction.

Yet, visibility into company IP, especially in real-time and on-demand, is not always easy for C-levels or IT leaders. In reality, it is difficult to assess what is owned across your network even in the most stable of times, and especially difficult during the chaotic times before, during and after an acquisition or merger. This lack of awareness can bring its own set of risks, especially when it comes to data availability, data loss, and meeting necessary legal compliance standards.

The first aspect of protecting IP is the handling of data itself. When two companies come together, massive data sets are combined, and large data migrations are needed. The two disparate data systems are, over time, consolidated. This well known pharmaceutical company is a good example of this. The IT team needs to be able to ingest petabytes of data from a new company almost overnight. Sometimes this is research data, other times it is data from companies they had acquired. The rigor and speed at which a company does this can be determined by the level of regulation in their industry. In a highly regulated industry like pharmaceuticals, if data were ever lost or irretrievable, hundreds of millions of dollars would potentially be at stake, so data sets need to be accounted for and available at all times.

Another consideration when it comes to protecting IP is employee behavior. The last thing any business person wants is for IP to walk out the door due to lack of knowledge, leaks or just plain theft. When a takeover is imminent, the first thing many employees worry about is job security, and that’s when they might download as much information as they can in readiness for separation. There have been many stories and rumors of “runaway startups” borrowing source code of the new parent company after acquisitions to take elsewhere. In most cases, this theft is invisible to the eye of IT, given the many routes of transfer: USBs, Dropbox, external drives, etc. Less sinister is the data that is innocently spread across networks and cloud apps, outside the visibility of IT, at risk of loss, leaks or non-compliance.

While the majority of IP loss is rather innocent (“I worked on that PPT deck; I am taking it with me”), some are more malicious. Nearly 60 percent of employees who quit a job or are asked to leave take with them some company data, according to report by the Ponemon Institute. A poll of 4,000 employees in the UK, Germany, U.S. and Australia found that for $7,700, 25% would sell off sensitive data, potentially risking both their job and criminal convictions in the process. The number of employees open to bribes increased to 35% when the offer was increased to $77,000. But a small minority of workers (3%) would sell private information for as little as $150, according to a poll sponsored by net security firm Clearswift. This may increase in likelihood for employees who are separating from their employers under negative circumstances or an unfriendly acquisition.

How a company safeguards data on an everyday basis says much about how ready they are for a disruptive business event like a merger or acquisition. Does IT have visibility of data residing on far-flung networks, cloud apps, and endpoints? When an acquisition does occur, how quickly can the organization extend data protection and governance capabilities throughout the new user base? A level of “proactive” data governance can ensure that even in the most tumultuous of times it is business as usual when it comes to data protection, and the “corporate jewels” (your valuable IP) are never threatened or diluted.

CEOs and IT leaders can gain visibility into corporate data (where it resides, who has access to this data, where it is located on the network) with the right technology tools designed for mobile and cloud, scale and speed. Look for solutions that make it possible to:

Track data access and monitor system use for aberrant behavior.

Monitor users for normal access and potentially spot “hoarding” as it occurs. This should be done in conjunction with regular scanning of all systems for viruses and malware.

Collect, monitor and archive endpoint and cloud service data of the acquired company for IP loss prevention and assessment of data risks.

Place and manage legal holds across the new company’s end-user data sources, a common challenge in acquisitions

Account for data and tech devices your employees own. The proliferation of personal devices used for work purposes has led to a corporate environment where the personal co-mingles with the work. By allowing employees to use their own equipment, the employer loss a certain amount of control.

In the age of acquisitions and deal making, business leaders need to prepare ahead to protect and monitor valuable corporate data, no matter where it resides (servers, endpoints or cloud apps). It’s just smart business in today’s dynamic times.